
Advanced configuration

You can update the following settings when HA is active, and it won't result in downtime.

Keepalive timer

The keepalive timer has the following settings:

  • The keepalive interval is the duration between two successive keepalive retransmissions.
  • The keepalive attempts value is the number of attempts made before a device is determined to have failed. For example, if you configure the keepalive request interval to 250 ms and keepalive attempts to eight, the device will be declared dead after 250 ms * 8 = 2 seconds.

Here's an example of the keepalive timer settings.

Keepalive configuration options.
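
The following added example (not Sophos code) models how the two keepalive settings interact, so you can see what a given pair of values tolerates before a failover. It assumes that only consecutive missed keepalives count and that any reply resets the counter; the function names and the trace are constructed for illustration.

```python
"""Simplified model of HA keepalive failure detection (added example)."""


def detection_time_ms(interval_ms, attempts):
    """Time from the last answered keepalive until the peer is declared dead."""
    if interval_ms <= 0 or attempts <= 0:
        raise ValueError("interval and attempts must be positive")
    return interval_ms * attempts


def declared_dead_at_ms(answered, interval_ms, attempts):
    """Return the time the peer is declared dead, or None if it never is.

    answered[i] says whether keepalive number i+1, sent at
    (i+1) * interval_ms, got a reply. Assumption of this model: misses
    must be consecutive, and any reply resets the counter.
    """
    detection_time_ms(interval_ms, attempts)  # validates the settings
    missed = 0
    for n, ok in enumerate(answered, start=1):
        missed = 0 if ok else missed + 1
        if missed >= attempts:
            return n * interval_ms
    return None


# Constructed trace: 4 replies, a 3-keepalive blip, 2 replies,
# then the peer stops answering for good.
TRACE = [True] * 4 + [False] * 3 + [True] * 2 + [False] * 10

if __name__ == "__main__":
    for attempts in (8, 3):
        t = declared_dead_at_ms(TRACE, 250, attempts)
        print(f"interval=250 ms attempts={attempts}: "
              f"budget={detection_time_ms(250, attempts)} ms, "
              f"declared dead at {t} ms")
```

In this model, 250 ms with eight attempts rides through the short blip and declares the peer dead 2 seconds after its last reply, while 250 ms with three attempts fails over during the blip itself.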

Cluster ID

A cluster is a pair of devices operating in HA. Devices in the same cluster must share the same cluster ID. If you have multiple HA clusters, assign a different ID to each cluster.

Monitoring ports

If any monitored port goes down, the device leaves the cluster, and a failover occurs.

Peer administration port

The port used for administration purposes on the auxiliary device.

Using the hypervisor-assigned MAC address

When you run a virtual Sophos Firewall device, you don't need to turn on promiscuous mode on the vSwitch.

Failing back to the primary device

When a failover occurs, traffic is routed through the auxiliary device. Select this option if you want to move back automatically to the primary device when it recovers.

When you set a preferred primary device, the cluster behaves as follows:

  1. The device you're signed in to when you turn on this option becomes the preferred primary.
  2. Whenever the preferred primary device restarts or comes up again after a failover, it restarts the peer device once all services are started and synchronized. It then becomes the primary device again.

Here's an example of how this works:

Failback to primary device process.